RE: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Laura A. Robinson
There's a problem with this idea: the UPN (or, more specifically, the
portion before the @) does not necessarily match the CN component of a DN,
so there would be no reliability in your approach.

Why are you unable to retrieve DNs?

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Michael B Allen
 Sent: Thursday, October 12, 2006 6:05 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Attribute for Name Component of 
 userPrincipalName?
 
 Does anyone know of an object class that defines an attribute 
 like userPrincipalName but just the name component and not the realm?
 
 For example, if an object had a userPrincipalName of 
 '[EMAIL PROTECTED]' the desired attribute would be 
 guaranteed to be 'Managers'.
 
 I'm caching group objectSids in a temporary in-memory DIT. 
 The entries need unique DNs but I don't know the real DNs. 
 All I have is the userPrincipalName so I was thinking I could 
 just derive a DN from the userPrincipalName like:
 
   [EMAIL PROTECTED] -> FOO=Managers,DC=example,DC=com
 
 Right now it doesn't really matter if this is truly 
 conformant or not, I'm just thinking about forward compatibility.
 
 Thanks,
 Mike
 
 --
 Michael B Allen
 PHP Active Directory SSO
 http://www.ioplex.com/
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx



RE: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread joe
Let me start with I am confused by what you are doing.

But let me mention thoughts based on what you have written...

The userPrincipalName uniqueness is based on the ENTIRE UPN, not just the
first component. Unless you are POSITIVE that the UPNs will be unique up to
the realm then you may want to find something else for your key.  In ADAM
you can use single name without realm UPNs and ADAM will enforce that
uniqueness for you. But that is ADAM, not AD.

If you want to look up the real DNs, you can obviously do so with the full
UPN. Just do a GC query of [EMAIL PROTECTED]


   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

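A worked example added here, not code from the thread or from the ioplex PHP SSO project: it keys an in-memory SID cache on the whole UPN, as joe recommends, and builds the Global Catalog filter and a derived RDN with RFC 4515 / RFC 4514 escaping so that a UPN taken from a client cannot rewrite the search filter. The group names, SIDs, cache layout and function names are constructed assumptions; nothing here talks to a directory.

```python
"""Added example (not from the thread): key a group-SID cache on the WHOLE
userPrincipalName and build escaped LDAP filters and RDNs from a UPN.
All names, SIDs and the cache layout are constructed for illustration."""

from typing import Dict, Optional, Tuple

# RFC 4515: these characters must be hex-escaped inside a search-filter value,
# otherwise a UPN taken from user input can rewrite the filter (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used as an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_upn(upn: str) -> Tuple[str, str]:
    """Return (prefix, suffix). The prefix alone is not a safe unique key:
    AD enforces uniqueness on the entire UPN, and the prefix need not match
    sAMAccountName or the CN of the object's DN."""
    prefix, sep, suffix = upn.rpartition("@")
    if not sep or not prefix or not suffix:
        raise ValueError(f"not a UPN: {upn!r}")
    return prefix, suffix


def gc_filter_for_upn(upn: str) -> str:
    """Filter for a Global Catalog search by the full UPN (the reliable lookup)."""
    split_upn(upn)  # validate shape before use
    return f"(userPrincipalName={escape_filter_value(upn)})"


def derived_rdn(upn: str, attr: str = "sAMAccountName") -> str:
    """The derived-RDN idea from the thread, with the value escaped. The
    attribute is the caller's choice: no schema attribute holds just the prefix."""
    prefix, _ = split_upn(upn)
    return f"{attr}={escape_rdn_value(prefix)}"


class SidCache:
    """In-memory cache of objectSid keyed on the whole UPN, compared
    case-insensitively as AD does."""

    def __init__(self) -> None:
        self._sids: Dict[str, str] = {}

    @staticmethod
    def _key(upn: str) -> str:
        prefix, suffix = split_upn(upn)
        return f"{prefix.casefold()}@{suffix.casefold()}"

    def put(self, upn: str, sid: str) -> None:
        self._sids[self._key(upn)] = sid

    def get(self, upn: str) -> Optional[str]:
        return self._sids.get(self._key(upn))

    def __len__(self) -> int:
        return len(self._sids)


def demo() -> dict:
    # Constructed sample data: two groups that share a prefix but not a suffix.
    upns = ("Managers@example.com", "Managers@corp.example.com")
    cache = SidCache()
    cache.put(upns[0], "S-1-5-21-1111-2222-3333-1105")
    cache.put(upns[1], "S-1-5-21-4444-5555-6666-1201")
    prefix_keyed = {split_upn(u)[0] for u in upns}
    return {
        "distinct_full_upns": len(cache),          # 2: whole-UPN keys do not collide
        "distinct_prefixes": len(prefix_keyed),     # 1: prefix-only keys would collide
        "case_insensitive_hit": cache.get("MANAGERS@EXAMPLE.COM"),
        "filter": gc_filter_for_upn(upns[0]),
        "injected_filter": gc_filter_for_upn("*)(objectClass=*@example.com"),
        "rdn": derived_rdn("Smith, John@example.com"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows that two groups sharing the prefix "Managers" survive as two cache entries only because the suffix is part of the key, and that an injected prefix comes out hex-escaped in the filter instead of closing the parenthesis early.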


Re: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Joe Kaplan
There is an API that converts UPN to DN (DsCrackNames, also wrapped by 
IADsNameTranslate in ADSI).  I'm not sure if that helps or not.  Like Laura 
said, you do need to look something up though.


Joe K.



Re: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Michael B Allen
On Thu, 12 Oct 2006 18:36:24 -0400
joe [EMAIL PROTECTED] wrote:

> The userPrincipalName uniqueness is based on the ENTIRE UPN, not just the
> first component. Unless you are POSITIVE that the UPNs will be unique up to
> the realm then you may want to find something else for your key.  In ADAM
> you can use single name without realm UPNs and ADAM will enforce that
> uniqueness for you. But that is ADAM, not AD.

The entries would be under a domain container and therefore they are
unique. The organisation might look like the following:

DC=example,DC=com
   CN=Supplemental,DC=example,DC=com
      FOO=Managers,CN=Supplemental,DC=example,DC=com
         objectClass=group
         objectSid=binarysid
         [EMAIL PROTECTED]

where FOO is some attribute that means "the name component of the UPN". Is
there such an attribute? Is 'uid' guaranteed to be the name component of
a user's UPN?

For now I'm using sAMAccountName
(e.g. sAMAccountName=Managers,CN=Supplemental,DC=example,DC=com) but this
is not optimal since sAMAccountName may not match the name component of
the UPN and it is yearning to be deprecated.

> If you want to look up the real DNs, you can obviously do so with the full
> UPN. Just do a GC query of [EMAIL PROTECTED]

The whole point is to provide a cache of group sids so any querying
would defeat the purpose.

Mike

PS: Any confusion over this post is no doubt attributed to the fact that
I'm not actually using a real LDAP store for anything described here. I
have written an LDAP C API wrapper that can operate on data structures
in memory. Meaning I have written a very simple LDAP server.

-- 
Michael B Allen
PHP Active Directory SSO
http://www.ioplex.com/


Re: [ActiveDir] Attribute for Name Component of userPrincipalName?

2006-10-12 Thread Joe Kaplan
UPN is arbitrary, so you can't assume the alias part will be the same as 
sAMAccountName (although we do that in our org by convention).  There is no 
such attribute representing what you want.


Joe K.
